Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/custody_beth/src/distribution.rs#L110-L115
https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/custody_bluna/src/distribution.rs#L109-L114
Vulnerability details
Impact
The swap_to_stable_denom function in the custody contracts swaps all other native tokens into a specific one. The function creates swap messages for all the other native tokens and adds them as sub-messages, and handles the reply only when the last sub-message succeeds. Upon receiving the reply, the contract sends the swapped tokens (i.e., rewards) to the overseer contract.
In cases where the last sub-message fails, the custody contract will not receive a reply, and therefore the rewards are left in the contract. The rewards are locked in the contract until someone triggers swap_to_stable_denom again, and the last swap succeeds. However, if the last swap consistently fails in some period for any reason, the total rewards will be locked in the contract during that period. As a result, users cannot get the rewards they are supposed to receive in that period.
Proof of Concept
Referenced code: custody_beth/src/distribution.rs#L110-L115, custody_bluna/src/distribution.rs#L109-L114
Recommended Mitigation Steps
Consider handling the reply on either success or failure, i.e., using ReplyOn::Always, so that a failed swap does not cause tokens to be locked.
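The difference between the two reply modes, as an added example that is not the Anchor contracts' own code: a simplified model of CosmWasm sub-message dispatch in plain Rust, without cosmwasm_std. The function body, the Outcome struct, the amounts and the 1:1 swap rate are assumptions made for illustration.

```rust
// Simplified model of CosmWasm sub-message dispatch (assumption: no cosmwasm_std;
// all names, amounts and the 1:1 swap rate are constructed for illustration).
#[derive(Clone, Copy, PartialEq)]
enum ReplyOn { Success, Always }

#[derive(Debug, PartialEq)]
struct Outcome {
    reply_called: bool,
    sent_to_overseer: u128, // stable-denom rewards forwarded by the reply handler
    left_in_custody: u128,  // value still sitting in the custody contract
}

/// `swaps` holds (amount, swap_succeeds) for each non-stable reward coin, in order.
/// As in the finding, only the last sub-message carries a reply; its mode is `last_reply_on`.
fn swap_to_stable_denom(swaps: &[(u128, bool)], last_reply_on: ReplyOn) -> Outcome {
    let total: u128 = swaps.iter().map(|(amt, _)| amt).sum();
    let mut stable = 0u128; // stable-denom balance produced so far
    let mut reply_called = false;
    for (i, &(amount, ok)) in swaps.iter().enumerate() {
        let is_last = i + 1 == swaps.len();
        if ok {
            stable += amount;
            if is_last { reply_called = true; }
        } else if is_last && last_reply_on == ReplyOn::Always {
            // The failed swap is rolled back, but the error is delivered to reply().
            reply_called = true;
        } else {
            // The error is not caught: the whole execution aborts, nothing is forwarded.
            return Outcome { reply_called: false, sent_to_overseer: 0, left_in_custody: total };
        }
    }
    // reply(): forward whatever stable balance exists to the overseer.
    let sent = if reply_called { stable } else { 0 };
    Outcome { reply_called, sent_to_overseer: sent, left_in_custody: total - sent }
}

fn main() {
    // Constructed input: three reward coins, the last swap fails.
    let swaps: [(u128, bool); 3] = [(100, true), (50, true), (25, false)];
    println!("{:?}", swap_to_stable_denom(&swaps, ReplyOn::Success));
    println!("{:?}", swap_to_stable_denom(&swaps, ReplyOn::Always));
}
```

With ReplyOn::Always the reply handler must inspect the sub-message result itself, since it now also runs when the last swap failed.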